This is a demonstration service for using ssh via OpenID Connect (OIDC).

More detailed setup instructions for server and client are given at https://github.com/EOSC-synergy/ssh-oidc

Quick setup to test ssh/oidc (client side)

  1. Install and configure oidc-agent
    • Installation:
      • yum install oidc-agent
      • apt-get install oidc-agent
    • Configuration:
      • EGI Check-in: oidc-gen --pub --iss https://aai.egi.eu/auth/realms/egi --scope "openid profile email offline_access eduperson_entitlement eduperson_scoped_affiliation eduperson_unique_id" egi
      • WLCG: oidc-gen --pub --issuer https://wlcg.cloud.cnaf.infn.it/ --scope "openid profile offline_access eduperson_entitlement eduperson_scoped_affiliation wlcg.groups wlcg" wlcg
      • Helmholtz-AAI: oidc-gen --pub --iss https://login.helmholtz.de/oauth2/ --scope "openid profile email offline_access eduperson_entitlement eduperson_scoped_affiliation eduperson_unique_id" helmholtz
      • Google: oidc-gen --pub --iss https://accounts.google.com/ --flow device --scope max google
    • Alternative: Get an Access Token in any other way
  2. Install the motley cue client:
    • pip install mccli (this will give you the mccli command-line tool)
  3. ssh to the ssh-oidc-demo machine:
    • mccli ssh ssh-oidc-demo.data.kit.edu --oidc <oidc-agent account name> (e.g. egi or wlcg from the above example)
    • If you got the Access Token in a different way:
      • export ACCESS_TOKEN=<your access token>
      • mccli ssh ssh-oidc-demo.data.kit.edu
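
A local pre-flight check for the case where the Access Token was obtained in a different way, given here as an added example that is not part of the original page or of mccli: it reads ACCESS_TOKEN, decodes the JWT payload without verifying the signature, and warns if the issuer is not one of those configured above or the token has expired. The function names and the unsigned sample-token helper are hypothetical; opaque (non-JWT) tokens are reported as uninspectable.

```python
import base64, json, os, time

# Issuer URLs copied from the oidc-gen commands on this page.
KNOWN_ISSUERS = (
    "https://aai.egi.eu/auth/realms/egi",
    "https://wlcg.cloud.cnaf.infn.it/",
    "https://login.helmholtz.de/oauth2/",
    "https://accounts.google.com/",
)

def read_claims(token):
    """Return the claims of a JWT, or None for an opaque token.
    The signature is NOT verified: local sanity check only."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        return None
    try:
        # JWT segments are unpadded base64url; restore the padding first.
        payload = base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4))
        claims = json.loads(payload)
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None

def preflight(token, now=None):
    """Return a list of problems found; an empty list means none."""
    claims = read_claims(token)
    if claims is None:
        return ["not a JWT (opaque token): nothing to inspect locally"]
    now = time.time() if now is None else now
    problems = []
    iss = str(claims.get("iss", "")).rstrip("/")
    if iss not in {i.rstrip("/") for i in KNOWN_ISSUERS}:
        problems.append("unexpected issuer: %r" % iss)
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("missing or expired exp claim: %r" % exp)
    return problems

def make_sample_token(claims):
    """Build an UNSIGNED, constructed JWT-shaped string for demonstration."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "constructed"])

if __name__ == "__main__":
    for problem in preflight(os.environ.get("ACCESS_TOKEN", "")):
        print("WARNING:", problem)
```
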

In case of questions and / or free beer, contact us at ssh-oidc@lists.kit.edu

Frequently Asked Questions

These are collected in our FAQ.
